Skip to content
SQLi scanner to detect SQL vulns
Branch: master
Clone or download
Latest commit b294740 May 23, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.screenshots Add precisions in the Apr 17, 2019 Add precisions in the Apr 17, 2019 Update README May 20, 2019 Add -U and -w options Apr 11, 2019 Fixed Issue #6 May 11, 2019 Correct minor bugs and rename main to Apr 17, 2019 Add command line options Apr 8, 2019
requirements.txt Adapt for python3 compatibility Apr 17, 2019 Fixed Issue #6 May 11, 2019

ScanQLi License Python 2|3 Twitter


ScanQLi is a simple SQL injection scanner with somes additionals features. This tool can't exploit the SQLi, it just detect them.

Tested on Debian 9


  • Classic

  • Blind

  • Time based

  • GBK (soon)

  • Recursive scan (follow all hrefs of the scanned web site)

  • Cookies integration

  • Adjustable wait delay between requests

  • Ignore given URLs


1. Install git tool.

apt update
apt install git

2. Clone the repo.

git clone

3. Install python required libs

apt install python-pip
cd ScanQLi
pip install -r requirements.txt

For Python 3 please install python3-pip and use pip3.


python scanqli -u [URL] [OPTIONS]


Simple URL scan with output file:

python -u '' -o output.log

Recursive URL scanning with cookies:

python -u '' -r -c '{"PHPSESSID":"4bn7uro8qq62ol4o667bejbqo3" , "Session":"Mzo6YWMwZGRmOWU2NWQ1N2I2YTU2YjI0NTMzODZjZDVkYjU="}'


ScanQLi was created to perform pentest or others legal stuffs (like bug bounty). Using ScanQLi against web site without authorization is forbidden.

I'm not responsible of your usage of ScanQLi. At your own risk.

You can’t perform that action at this time.